I'm not an application developer - I'll start off with that caveat.
In brief: our development team has asked me to open a series of ports from WAN to LAN, completely bypassing our DMZ. They say this is fine because their API secures the connection first from two web servers in the DMZ (using Diffie-Hellman, but that's another story), but we're a little unsure that having open ports from WAN to LAN can ever be secure - can anyone enlighten me on the viability of this from a security standpoint?
Shouldn't the end user always communicate with the DMZ, and then a server within it do all the communication to any internal servers?
The very idea of having a DMZ zone is to protect the LAN from direct access from the Internet. This means the services/servers that require user access from the Internet to function (like web servers, e-mail servers, etc.) are put on a separate network and allowed controlled access from outside. Having a separate network segment (DMZ) makes it possible to apply different firewall policies to different segments and access control from one segment to the other. This also makes extensive monitoring of the vulnerable segment possible, and in case of a security breach the internal LAN segments may stay secure.
Therefore, if your organization already has a DMZ network and a policy in place, then the new proposal simply violates the very idea of having network segmentation for security and needs to be scrutinized thoroughly. Maybe an alternative solution that keeps the existing network architecture is possible.
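As an added illustration (not part of either post), a small Python model of the two firewall policies being compared: the segmented design the answer describes, and the proposed WAN-to-LAN rule beside it. The zone address ranges, host addresses and port numbers are constructed assumptions, not the poster's network.

```python
import ipaddress
from dataclasses import dataclass

# Zones and addressing are constructed for this example (not a real network).
ZONES = {
    "WAN": [ipaddress.ip_network("0.0.0.0/0")],
    "DMZ": [ipaddress.ip_network("192.0.2.0/24")],
    "LAN": [ipaddress.ip_network("10.0.0.0/8")],
}

def zone_of(ip: str) -> str:
    """Most specific prefix wins, so DMZ/LAN take precedence over the WAN catch-all."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    src_hosts: frozenset = frozenset()   # empty = any host in src_zone

def allowed(rules, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """First matching rule permits; anything unmatched is dropped (default deny)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port) != (src_zone, dst_zone, dst_port):
            continue
        if r.src_hosts and src_ip not in r.src_hosts:
            continue
        return True
    return False

# Segmented design: the Internet reaches only the DMZ web tier, and only the
# two web servers may open one back-end port into the LAN.
SEGMENTED = [
    Rule("WAN", "DMZ", 443),
    Rule("DMZ", "LAN", 5432, frozenset({"192.0.2.10", "192.0.2.11"})),
]
# Proposed change: the same back-end port opened straight from WAN to LAN,
# so any Internet host can reach the internal server without touching the DMZ.
BYPASS = SEGMENTED + [Rule("WAN", "LAN", 5432)]
```

Evaluating a flow from an Internet address to a LAN host against each policy shows the difference: the segmented ruleset drops it, the bypass ruleset accepts it.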